Security researchers participating in the Mobile Pwn2Own contest at the EuSecWest Conference in Amsterdam today demonstrated how to hack Android through Near Field Communication (NFC). The 0day exploit was developed by four MWR Labs employees (two in South Africa and two in the UK) for a Samsung Galaxy S 3 phone running Android 4.0.4 (Ice Cream Sandwich). Two separate security holes were leveraged to completely takeover the device, and download all the data from it.

The first, a memory corruption flaw, was exploited via NFC (by holding two Galaxy S 3s next to each other) to upload a malicious file, which in turn allowed the team to gain code execution on the device. The attack isn’t limited to NFC though; it can also be abused via other attack vectors, such as malicious websites or email attachments. The flaw had to be triggered 185 times in the exploit code in order to overcome some of the vulnerability’s limitations.

The malware then exploited a second vulnerability to gain full control over the device using privilege escalation. This undermined Android’s app sandbox model, allowing the attackers to install their customised version of Mercury, the company’s Android assessment framework.

Mercury was then used to exfiltrate user data on the device (such as contacts, emails, text messages, and pictures) to a remote listener. Not only could Mercury send away precious data while running in the background, but it could also make calls, such as to premium rate numbers.

The researchers noted that Android 4.0.4 features exploit mitigation features such as Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP), but there are shortcomings that allowed them to use the first vulnerability to control the device to trigger the second one. Here’s what they said:

Crucially, the ASLR implementation is incomplete in Android 4.0.4, and does not cover Bionic (Android’s linker) and /system/bin/app_process, which is responsible for starting applications on the device. Other protections which would make exploitation harder were also found to be absent.

The ASLR support in Android 4.0 only randomizes certain key locations, leaving other key parts of the Android operating system memory space as a predictable space to attackers. Thankfully, Android 4.1 (Jelly Bean) includes several new exploit mitigations as well as full implementation of ASLR and DEP.

MWR Labs, which won $30,000 for its hack, is planning a more technical blog post detailing the process of finding and exploiting this bug. It will only be published, however, once the vulnerability has been patched by Samsung. It’s not clear if pushing out Jelly Bean will be enough, but it should at least mitigate the problem.